simon-weber / gpsoauth

A python client library for Google Play Services OAuth.
MIT License

[Question] When does the master token expire? #40

Closed mxrch closed 2 years ago

mxrch commented 2 years ago

Hi! First, thanks for your library and the linked articles (btw, the encryptedpasswd one is dead, you should link this snapshot instead: https://web.archive.org/web/20150814054004/http://codedigging.com/blog/2014-06-09-about-encryptedpasswd/)

I want to include a new feature in my project GHunt that uses the Google Play services, and it works perfectly using gpsoauth and the information I intercepted from the Android app, but I need to make it work with 2FA too, since it will be active by default for all accounts (https://www.theverge.com/2021/5/6/22422778/google-accounts-enabling-two-step-verification-default), to make it minimally user-friendly.

The login flow I currently use in GHunt is: a browser extension dumps all the required cookies and sends them to GHunt, then we can use them for a very long time, because they have an expiration date of 2 years. So to add the gps oauth with minimal action for the user, I was thinking about sending the user to this link from the extension: https://accounts.google.com/o/android/auth?&source=android&lang=en&langCountry=en_us&xoauth_display_name=Android%20Phone&cc=us&tmpl=new_account

Then we can get the oauth2 token from the cookies, and finally we can get the "master token". But do you know how long it lasts? Is it safe to store it to reuse it for like 1 year?

Thank you in advance!

simon-weber commented 2 years ago

Hm, I'm not sure. My guess is they're like refresh tokens, which don't expire but might be revoked under some circumstances.

mxrch commented 2 years ago

Okay, thank you for your quick response. My first tests show that generating a new master token doesn't revoke the older ones, so it might be good!

Don't hesitate to close the issue if you want ☺️

mxrch commented 2 years ago

This person confirms that it never expires: https://ethanblake4.medium.com/how-i-stole-the-data-in-millions-of-peoples-google-accounts-aa1b72dcc075

simon-weber commented 2 years ago

Haha, fair enough!